PT-2026-21985 · Rucio · Rucio

D-Woosley · Published 2026-02-25 · Updated 2026-02-26 · CVE-2026-25136

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Rucio versions prior to 35.8.3
Rucio versions prior to 38.5.4
Rucio versions prior to 39.3.1
Description

Rucio contains a reflected cross-site scripting (XSS) vulnerability in the way the WebUI renders the ExceptionMessage of a 500 error. An attacker who gets a user to open a specially crafted URL can run script in that user's WebUI session and steal the session token.

The ExceptionMessage can contain user-controlled input and is rendered as unencoded HTML. On the server, common.py (error_headers, error_response and generate_http_error_flask) places the ExceptionMessage into the response headers and the JSON body. The WebUI client then inserts that text into the Document Object Model (DOM) with unsafe methods such as jQuery .html(...) in files including rule.js, request_rule.js and list_rules.js, so any markup in the message is parsed and executed rather than shown as text. A URL carrying a payload such as <img src=x onerror=alert(document.cookie)> therefore executes script when the victim's browser receives the error response. Because the session cookie lacks the HttpOnly attribute and no Content Security Policy is set, that script can read the session token.

Known injection points are the account parameter in WebUI URLs and the error raised while creating account key attributes. Riding the session of a sufficiently privileged user, the attacker could, for example, create a new UserPass identity for the root account.
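The following is an added example, not Rucio's own code, that reproduces the mechanism described above outside a browser: a constructed 500 response reflects the ExceptionMessage in a header and the JSON body (the field names follow the description; the message text is made up), the vulnerable jQuery .html(...) pattern is contrasted with the .text(...) fix, and an escaping helper covers the case where the message must be part of an HTML string. The DOM element is a constructed stand-in so the script runs under Node.

```javascript
// Added example (not Rucio's code): reflected XSS via the WebUI 500-error
// ExceptionMessage, and the recommended client-side fixes.

// Constructed 500 response in the shape the advisory describes: the server
// reflects the ExceptionMessage into both a response header and the JSON body.
const PAYLOAD = '<img src=x onerror=alert(document.cookie)>';
const constructedResponse = {
  status: 500,
  headers: {
    ExceptionClass: 'RucioException',
    ExceptionMessage: `Account ${PAYLOAD} not found`,
  },
  body: JSON.stringify({
    ExceptionClass: 'RucioException',
    ExceptionMessage: `Account ${PAYLOAD} not found`,
  }),
};

// Pull the message out of the JSON body, falling back to the header.
function exceptionMessageFrom(resp) {
  try {
    const parsed = JSON.parse(resp.body);
    if (typeof parsed.ExceptionMessage === 'string') return parsed.ExceptionMessage;
  } catch (_) { /* body was not JSON */ }
  return resp.headers.ExceptionMessage || `HTTP ${resp.status}`;
}

// Escaper for the case where the message must end up inside an HTML string
// (a template concatenated before insertion). Covers the five characters
// that can break out of text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the message is parsed as markup, so the <img onerror>
// in it becomes a live element whose handler runs when the image fails to load.
function renderUnsafe(el, message) {
  el.innerHTML = message;        // what jQuery .html(message) does
}

// Fixed pattern: the message becomes a text node and is never parsed as markup.
function renderSafe(el, message) {
  el.textContent = message;      // what jQuery .text(message) does
}

// Constructed stand-in for a DOM element so this runs outside a browser.
// Its innerHTML setter records whether markup parsing would have happened.
function fakeElement() {
  const el = { textContent: '', _html: null, markupParsed: false };
  Object.defineProperty(el, 'innerHTML', {
    get() { return el._html; },
    set(v) { el._html = v; el.markupParsed = /<\w+[^>]*>/.test(v); },
  });
  return el;
}

function demo() {
  const message = exceptionMessageFrom(constructedResponse);
  const a = fakeElement();
  renderUnsafe(a, message);
  const b = fakeElement();
  renderSafe(b, message);
  return {
    unsafeParsedMarkup: a.markupParsed,   // true: payload became an element
    safeParsedMarkup: b.markupParsed,     // false: inserted as inert text
    safeText: b.textContent,
    escaped: escapeHtml(message),
  };
}

console.log(demo());
```

Note that the safe path keeps the payload visible to the user as literal text, which is what an error display should do; escapeHtml is only needed when the message is spliced into markup that is then handed to .html(...) as a whole.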
Recommendations

For all affected release lines (versions prior to 35.8.3, 38.5.4 and 39.3.1), change every client-side insertion of server-provided text from .html(...) to .text(), or create text nodes / escape HTML before insertion; in practice this means updating to the first non-affected release of the line you run. As defence in depth beyond that fix: add a Content Security Policy (CSP) to restrict script execution, set the HttpOnly flag on session cookies, and avoid placing the API token in a JavaScript variable.
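The two hardening recommendations that show up in HTTP responses, the HttpOnly flag on the session cookie and a Content-Security-Policy header, can be checked from a captured response. The following is an added example, not Rucio's code: it parses Set-Cookie attributes and reports the gaps; the header sets are constructed, and the cookie name x-rucio-auth-token is an assumption rather than a verified Rucio cookie name.

```javascript
// Added example (not Rucio's code): audit a response's headers for the
// hardening the advisory recommends (HttpOnly session cookie, CSP present).

// Parse one Set-Cookie value into its name and a lower-cased attribute map.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const eqPos = pair.indexOf('=');
  const name = eqPos === -1 ? pair : pair.slice(0, eqPos);
  const attributes = {};
  for (const a of attrs) {
    const eq = a.indexOf('=');
    const key = (eq === -1 ? a : a.slice(0, eq)).toLowerCase();
    attributes[key] = eq === -1 ? true : a.slice(eq + 1);
  }
  return { name, attributes };
}

// Return a list of findings; an empty list means every cookie carries
// HttpOnly/Secure/SameSite and a usable CSP is present. `headers` maps
// lower-cased header names to arrays of values, the shape Node's http module
// gives you for set-cookie.
function auditResponseHardening(headers) {
  const findings = [];
  for (const raw of headers['set-cookie'] || []) {
    const { name, attributes } = parseSetCookie(raw);
    if (!attributes.httponly) findings.push(`cookie ${name}: missing HttpOnly (readable by injected script)`);
    if (!attributes.secure) findings.push(`cookie ${name}: missing Secure`);
    if (!attributes.samesite) findings.push(`cookie ${name}: missing SameSite`);
  }
  const csp = headers['content-security-policy'];
  if (!csp || csp.length === 0) {
    findings.push('no Content-Security-Policy header (inline script from reflected XSS runs unrestricted)');
  } else if (/unsafe-inline/.test(csp[0]) || !/script-src|default-src/.test(csp[0])) {
    findings.push(`weak Content-Security-Policy: ${csp[0]}`);
  }
  return findings;
}

// Constructed headers: the weak configuration the advisory describes ...
const weakHeaders = {
  'content-type': ['text/html'],
  'set-cookie': ['x-rucio-auth-token=abc123; Path=/'],   // cookie name assumed
};
// ... and the hardened counterpart after applying the recommendations.
const hardenedHeaders = {
  'content-type': ['text/html'],
  'set-cookie': ['x-rucio-auth-token=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
  'content-security-policy': ["default-src 'self'; script-src 'self'"],
};

console.log(auditResponseHardening(weakHeaders));
console.log(auditResponseHardening(hardenedHeaders));
```

HttpOnly stops document.cookie from exposing the token to an injected script, but it does not stop that script from calling the API with the browser's cookies; the CSP and the .text() fix are what actually keep the payload from running.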

Tags: Exploit · Fix · XSS

Related Identifiers

CVE-2026-25136
GHSA-H79M-5JJM-JM4Q

Affected Products

Rucio